Wednesday, December 18, 2013

“He’s very passionate; he uses a lot of italics and exclamation points,” Orin S. Kerr, a professor at the George Washington University Law School and a defender of the N.S.A.’s surveillance programs, said, referring to the way Judge Leon wrote the decision. Mr. Kerr said he found the judge’s ruling short “on legal reasoning.” (source: The New York Times)

There are several exclamation points in this decision. Judge Leon plainly feels that he has been lied to, and that we all have been. And he seems to be done with it. (source: The New Yorker)

Considering the above comments about Judge Leon's use of exclamation points, I thought it might be interesting to see what prompted them. I read his 68-page decision and found that Judge Leon used exclamation points three times. Here are those instances.

"The Government argues that Judge Vinson's order names only Verizon Business Network Services ("VBNS") as the recipient of the order, whereas plaintiffs claim to be Verizon Wireless subscribers."

"Put simply, the Government wants it both ways. Virtually all of the Government's briefs and arguments to this Court explain how the Government has acted in good faith to create a comprehensive metadata database... - in which case the NSA must have collected metadata from Verizon Wireless, the single largest wireless carrier in the United States, as well as AT&T and Sprint, the second and third-largest carriers."

"Yet in one footnote, the Government asks me to find that plaintiffs lack standing based on the theoretical possibility that the NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function. Candor of this type defies common sense and does not exactly inspire confidence!" (p. 38)

2. The Collection and Analysis of Telephony Metadata Constitutes a Search.

"First, the pen register in Smith was operational for only a matter of days between March 6, 1976 and March 19, 1976, and there is no indication from the Court's opinion that it expected the Government to retain those limited phone records once the case was over.

"In his affidavit, Acting Assistant Director of the FBI Robert J. Holley himself noted that "[p]en-register and trap-and-trace (PR/TT) devices provide no historical contact information, only a record of contacts with the target occurring after the devices have been installed."

"This short-term, forward-looking (as opposed to historical), and highly-limited data collection is what the Supreme Court was assessing in Smith. The NSA telephony metadata program, on the other hand, involves the creation and maintenance of a historical database containing five years' worth of data."

"And, I might add, there is the very real prospect that the program will go on for as long as America is combatting terrorism, which realistically could be forever!" (p. 47)

3. The Public Interest and Potential Injury to Other Interested Parties Also Weigh in Favor of Injunctive Relief.

"("[T]he public interest lies in enjoining unconstitutional searches.") That interest looms large in this case, given the significant privacy interests at stake and the unprecedented scope of the NSA's collection and querying efforts, which likely violate the Fourth Amendment. Thus, the public interest weighs heavily in favor of granting an injunction."

"The Government responds that the public's interest in combating terrorism is of paramount importance - a proposition that I accept without question. But the Government offers no real explanation as to how granting relief to these plaintiffs would be detrimental to that interest. Instead the Government says that it will be burdensome to comply with any order that requires the NSA to remove plaintiffs from its database."

"Of course, the public has no interest in saving the Government from the burdens of complying with the Constitution!" (pp. 65-66)

---------

Here's the full opinion. It's well worth reading. The fact is that our interaction with and reliance upon technology has fundamentally changed what privacy means to us today, and it will certainly change even more tomorrow. Court decisions from 30 or more years ago that still inform the laws protecting our Fourth Amendment rights should be revisited and updated to meet today's reality of instant communication, geolocation, and data analytics.

Sunday, December 8, 2013

O'Reilly Media, the publisher of my book Inside Cyber Warfare, has produced a video compilation of our Suits and Spooks event. I'm proud to say that this is the first non-O'Reilly conference that they have produced for sale, and it looks great. It doesn't include every speaker because some of the talks were under the Chatham House Rule, but here are the speakers that are included:

The Top 50 Non-state Hacker Groups in the World - Christopher Ahlberg (CEO of Recorded Future)

Out of the Mountains: A Future of Feral Cities, Urban Systems Under Stress, and Increasing Overlaps Between the Real and Virtual Worlds - David Kilcullen (CEO of Caerus Associates)

Tuesday, December 3, 2013

At Suits and Spooks events, we always have world-class speakers. But for 2014, I wanted to offer world-class training as well. For example, in January we're featuring:

CARMEN MEDINA: Specialist leader at Deloitte Consulting LLP after retiring from an almost 32-year career at the Central Intelligence Agency, where her roles included Director of the Center for the Study of Intelligence (CSI), Deputy Director for Intelligence, and Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

LANCE COTTRELL: Chief Scientist at Ntrepid Corp. and the founder and principal at Obscura Security. He founded Anonymizer Inc. in 1995, and is an internationally recognized expert in cryptography‚ online privacy‚ and Internet security.

ROB DUBOIS: Security advisor, smart power authority and retired U.S. Navy SEAL with experience in more than thirty nations. He recently served as the operations manager for the Department of Defense Red Team where his innovative tactics earned him the reputation of the U.S.’s “top terrorist”. Rob has provided his “Think like the Adversary” workshop to elite military units in combat zones, Fortune 500 companies, and agencies including the National Counterterrorism Center.

Originally, in order to attend a workshop you needed to also register for the conference. I've changed that policy so now you can take the training without having to register for Suits and Spooks DC, or you can register for both. Basically, it's now your choice.

Finally, to help fill these courses and give us a fair test of whether training is something we should continue to offer at Suits and Spooks events, I've lowered the tuition by 33% on all three courses until December 20th.

You can get complete details on each course by clicking on the course title, or call us with any questions you may have. Please help spread the word about this unique opportunity to learn from these highly esteemed professionals. Depending on our enrollment numbers, it may be the only time that we offer it.

Monday, December 2, 2013

Last night, my Google Alert for Huawei captured an intriguing headline: "Huawei exiting US market: CEO". The article appeared in Global Times, a Chinese paper that's part of People's Daily. Here's the opening paragraph:

Chinese telecommunications equipment maker Huawei Technologies Co Ltd has exited the US market in order not to affect Sino-US relations, Ren Zhengfei, founder and CEO of Huawei, said in an interview in Paris, news portal 163.com reported Sunday.

Upon first reading, this raised a lot of questions in my mind regarding Huawei's current U.S. operations. It has offices in a number of U.S. cities and has already sold quite a bit of equipment to both U.S. corporations and the U.S. government. What would happen there, I wondered?

Fortunately, I was able to reach Bill Plummer, Huawei's VP of External Affairs by email and received the following clarification:

Huawei has prioritized markets that welcome competition and investment, such as Europe.

That said, we remain committed to our customers, employees, investments and operations and more than $1 billion in sales in the U.S., and we stand ready to deliver additional competition and innovative solutions as desired by customers and allowed by authorities.

So basically what seemed like a radical change of strategy is actually something very practical. Huawei isn't pulling out of the U.S. physically nor is it abandoning its current U.S. customers. It is simply re-allocating its resources to increase sales in those parts of the world where it is welcome to compete.

Personally, as someone who has been a frequent critic of Huawei, I think it's a smart strategy. They're already the world's largest telecommunications hardware manufacturer. Why should they risk engendering more controversy by continuing to battle against U.S. government resistance when it will do nothing to improve their bottom line? In my opinion, Huawei's combination of low prices and quality manufacturing will eventually force adoption by U.S. corporations and government agencies. It might take years but I think that will be the inevitable outcome.

In the meantime, instead of hoping that the U.S. government will keep potential adversary states from selling them risky devices, U.S. companies should incentivize cyber security researchers to find ways to automatically test firmware updates for malicious or exploitable code before they are applied. Currently, whether the hardware is made by Huawei, ZTE, or Dell, firmware updates are loaded automatically with no independent testing by the operator. If, down the road, a foreign intelligence agency (Chinese or otherwise) wants to compromise a strategically placed router made by a company over which it has legal authority, adding a bit of malicious code to a firmware update is one of the easiest ways to do it.
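One concrete form that operator-side testing can take is a pre-deployment gate that diffs a candidate firmware image against the last image the operator accepted and flags the changes a reviewer should look at before the update is applied. The Python below is an added illustration written for this post; it is not Huawei, ZTE or Dell code and does not use any vendor API. The two "firmware images" are constructed in memory as small tar archives (many real images are tar or squashfs bundles, but the layout, file names and the red-flag patterns are this example's assumptions), and the heuristics are deliberately simple: new or changed files, newly set setuid bits, writes to boot/persistence paths, and a few byte patterns that rarely belong in a legitimate update.

```python
"""Gate a firmware update: diff the candidate image against the last accepted
image and report what changed and why it deserves a human look.

Example code for this post, not a vendor tool. Images, paths and the
SUSPICIOUS patterns below are constructed assumptions."""
import hashlib
import io
import re
import stat
import tarfile

# Illustrative red flags (assumption): byte patterns rarely found in a clean update.
SUSPICIOUS = [
    (re.compile(rb"/bin/sh\s+-i"), "interactive shell spawn"),
    (re.compile(rb"\btelnetd\b"), "telnet daemon"),
    # a passwd line carrying an inline crypt hash for a uid 0 / gid 0 account
    (re.compile(rb"^[^:\n]+:\$[0-9a-z]+\$[^:\n]+:0:0:", re.M), "uid-0 account with password hash"),
]
# Paths where a new or changed file gains execution at boot (assumption).
PERSISTENCE_DIRS = ("etc/init.d/", "etc/cron")


def build_image(files):
    """Build an in-memory tar 'firmware image' from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (mode, data) in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(image):
    """Map every regular file in the image to (sha256, mode, contents)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                data = tar.extractfile(m).read()
                out[m.name] = (hashlib.sha256(data).hexdigest(), m.mode, data)
    return out


def triage(baseline_image, candidate_image):
    """Return [(path, reason), ...]; an empty list means nothing changed."""
    old, new = manifest(baseline_image), manifest(candidate_image)
    findings = []
    for path, (digest, mode, data) in new.items():
        prev = old.get(path)
        if prev is None:
            findings.append((path, "new file"))
        elif prev[0] == digest and prev[1] == mode:
            continue  # byte-identical with the same mode: skip the deeper checks
        else:
            findings.append((path, "changed"))
        if mode & stat.S_ISUID and not (prev and prev[1] & stat.S_ISUID):
            findings.append((path, "setuid bit newly set"))
        if path.startswith(PERSISTENCE_DIRS):
            findings.append((path, "boot/persistence path touched"))
        for pattern, label in SUSPICIOUS:
            # only report a pattern that the accepted image did not already contain
            if pattern.search(data) and not (prev and pattern.search(prev[2])):
                findings.append((path, label))
    for path in old.keys() - new.keys():
        findings.append((path, "removed"))
    return findings


def sample_images():
    """Constructed baseline and candidate images for the demonstration."""
    baseline = {
        "etc/passwd": (0o644, b"root:x:0:0:root:/root:/bin/sh\n"),
        "etc/init.d/S50httpd": (0o755, b"#!/bin/sh\n/usr/sbin/httpd -p 80\n"),
        "usr/sbin/httpd": (0o755, b"\x7fELF httpd build 1\n"),
    }
    candidate = dict(baseline)
    candidate["usr/sbin/httpd"] = (0o755, b"\x7fELF httpd build 2\n")  # benign rebuild
    candidate["usr/bin/dbg"] = (0o4755, b"\x7fELF debug helper\n")   # new setuid binary
    candidate["etc/init.d/S99update"] = (0o755, b"#!/bin/sh\ntelnetd -l /bin/sh -i\n")
    candidate["etc/passwd"] = (0o644, baseline["etc/passwd"][1]
                               + b"svc:$1$saltxx$hashyy:0:0:svc:/:/bin/sh\n")
    return build_image(baseline), build_image(candidate)


if __name__ == "__main__":
    for path, reason in triage(*sample_images()):
        print(f"{reason:32s} {path}")
```

Run stand-alone, the script lists the rebuilt httpd as merely "changed" while the new setuid binary, the telnet-spawning init script and the extra uid-0 account each get a specific reason. In practice this kind of gate sits behind the vendor's own signature check, not in place of it: a signature proves who shipped the image, the diff shows what they shipped.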

As a side note I'm happy to say that both Bill Plummer and Andy Purdy (Huawei's CSO) will be at Suits and Spooks DC. Andy will be speaking on a panel that I'm moderating which will explore cyber security risks in the supply chain. We still have about 28 seats available if you'd like an opportunity to discuss Huawei and related cyber security issues with a couple of the company's executives face-to-face.

Sunday, November 24, 2013

"In evaluating open-source documents, collectors and analysts must be careful to determine the origin of the document and the possibilities of inherent biases contained within the document."
- FM2-22.3: Human Intelligence Collector Operations, p. I-10

"Source and information evaluation is identified as being a critical element of the analytical process and production of intelligence products. However there is concern that in reality evaluation is being carried out in a cursory fashion involving limited intellectual rigour. Poor evaluation is also thought to be a causal factor in the failure of intelligence."
- John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task"

These two quotes illustrate the long-running problem that has plagued commercial cyber security reporting for many years. There are very few unclassified OSINT standards for source evaluation and even fewer for cyber threat intelligence; at least, that is what I found while doing research for this article.

The field of cyber intelligence is fairly new and fortunately, thanks to the Software Engineering Institute at Carnegie Mellon and the work of Jay McAllister and Troy Townsend, we can take a credible look at the state of the practice of this field:

"Overall, the key ﬁndings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate ﬁndings and performance measures to leadership."
- McAllister and Townsend, The Cyber Intelligence Tradecraft Project

The one thing that isn't covered in their report is the issue of source validation and how that contributes to the validity or value of the intelligence data received. However they did write a follow-up white paper with Troy Mattern entitled "Implementation Framework - Collection Management (.pdf)"

Please take some time to study the framework and read the white paper. It's an ambitious and very thorough approach to helping companies understand how to get the most value from their cyber intelligence products. Unfortunately, while it specifies data evaluation and source validation, it doesn't provide any specific guidelines on how to implement those two processes.

A PowerPoint version of Noble's paper is also available. Here are a few of the slides from that presentation:

We recognize these failings when it comes to human intelligence collection but for some reason we don't recognize them or watch for them when it comes to OSINT. The crossover application seems obvious to me and could probably be easily implemented.

Again, these scales were developed to evaluate human sources, not published content, but they certainly seem applicable with some minor tweaking.

It's important to note that only part of the problem lies in the lack of source evaluation methods. Another very large contributing problem is the lack of standardized cyber intelligence tradecraft pointed out by McAllister and Townsend in their Cyber Intelligence Tradecraft paper:

"Tradecraft: Many government organizations have adopted the intelligence community standard of consistently caveating threat analysis with estimative language and source validation based on the quality of the sources, reporting history, and independent veriﬁcation of corroborating sources. Numerous individuals with varying levels of this skillset have transitioned to cyber intelligence roles in industry and academia, but the practice of assessing credibility remains largely absent. The numerous analytical products reviewed for the CITP either did not contain estimative or source validation language, or relied on the third-party intelligence service providing the information to do the necessary credibility assessment." (p.11)

And of course due to the newness of the field there's no standard yet for Cyber Intelligence training (McAllister and Townsend, p. 13).
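The two scales FM 2-22.3 applies to human sources (source reliability A through F, information credibility 1 through 6) can be carried over to published reporting with the "minor tweaking" mentioned above: derive reliability from a publisher's reporting history and whether it shows its evidence, and derive credibility from how many independent origins a claim actually has once citation chains are collapsed. The Python below is an added example written for this post, not a tool from McAllister and Townsend or from the SEI; the grade thresholds, the sample sources and the sample claims (including the 203.0.113.7 address, which is a documentation range) are constructed assumptions.

```python
"""Grade cyber threat intelligence claims on the FM 2-22.3 two-axis scale.

Example code for this post. The A-F and 1-6 labels are the field manual's;
the thresholds and the sample data are this example's assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

RELIABILITY = {"A": "reliable", "B": "usually reliable", "C": "fairly reliable",
               "D": "not usually reliable", "E": "unreliable", "F": "cannot be judged"}
CREDIBILITY = {1: "confirmed by other sources", 2: "probably true", 3: "possibly true",
               4: "doubtfully true", 5: "improbable", 6: "cannot be judged"}


@dataclass
class Source:
    name: str
    confirmed: int = 0           # earlier claims later borne out
    refuted: int = 0             # earlier claims later shown wrong
    primary_evidence: bool = False  # publishes samples/hashes/pcaps, not only commentary


@dataclass
class Report:
    source: str
    claim: str
    cites: List[str] = field(default_factory=list)  # who this report attributes the claim to


def reliability(src: Source) -> str:
    """Reporting history -> A-F. Thresholds are an assumption of this example."""
    history = src.confirmed + src.refuted
    if history < 3:
        return "F"  # too little track record to judge
    hit_rate = src.confirmed / history
    for grade, floor in (("A", 0.95), ("B", 0.80), ("C", 0.60), ("D", 0.40)):
        if hit_rate >= floor:
            # a source that never shows its evidence is capped one grade below A/B
            return grade if src.primary_evidence or grade > "B" else chr(ord(grade) + 1)
    return "E"


def independent_origins(claim: str, reports: List[Report]) -> Set[str]:
    """Collapse citation chains: three reports that all trace back to one
    original source count as ONE source for corroboration purposes."""
    asserting = {r.source: r for r in reports if r.claim == claim}
    origins, seen, stack = set(), set(), list(asserting)
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # also protects against circular citations
        seen.add(name)
        r = asserting.get(name)
        if r is None or not r.cites:
            origins.add(name)  # primary report, or a cited party we hold nothing from
        else:
            stack.extend(r.cites)
    return origins


def grade(claim: str, reports: List[Report], sources: Dict[str, Source]) -> Tuple[str, List[str]]:
    """Return (rating such as 'B2', sorted independent origins) for a claim."""
    origins = independent_origins(claim, reports)
    grades = sorted(reliability(sources[o]) if o in sources else "F" for o in origins)
    best = grades[0] if grades else "F"
    if len(origins) >= 2:
        cred = 1  # independently confirmed
    else:
        cred = {"A": 2, "B": 2, "C": 3, "D": 4, "E": 5, "F": 6}[best]
    return best + str(cred), sorted(origins)


def sample() -> Tuple[Dict[str, Source], List[Report]]:
    """Constructed sources and reports for the demonstration."""
    sources = {s.name: s for s in [
        Source("LabX", confirmed=18, refuted=1, primary_evidence=True),
        Source("IRTeamW", confirmed=9, refuted=0, primary_evidence=True),
        Source("BlogY", confirmed=1, refuted=0),
        Source("VendorZ", confirmed=5, refuted=5),
    ]}
    c2, lure, cert = ("C2 server at 203.0.113.7",
                      "lure document drops the same implant",
                      "dropper signed with a stolen certificate")
    reports = [
        Report("LabX", c2), Report("BlogY", c2, cites=["LabX"]),
        Report("VendorZ", c2, cites=["BlogY"]),           # chain, not corroboration
        Report("LabX", lure), Report("IRTeamW", lure),     # two independent origins
        Report("VendorZ", cert),                           # single weak source
    ]
    return sources, reports


def demo() -> Dict[str, Tuple[str, List[str]]]:
    sources, reports = sample()
    return {claim: grade(claim, reports, sources) for claim in {r.claim for r in reports}}


if __name__ == "__main__":
    for claim, (rating, origins) in sorted(demo().items()):
        print(f"{rating}  {claim}  <- {', '.join(origins)}")
```

The C2 claim is the instructive case: three publishers repeat it, but every one of them traces back to LabX, so it is graded B2 on LabX's record rather than 1 ("confirmed") on the strength of the repeats. Anything rated F or 6 should carry estimative language in the finished product rather than be dropped silently.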

IN SUMMARY

There are numerous examples of cyber security reports produced by commercial and government agencies where conclusions were drawn based upon less than hard data, including ones that I or my company wrote. Unless you're working in a scientific laboratory, source material related to cyber threats is rarely 100% reliable. Since no one is above criticism when it comes to this problem, it won't be hard for you to find a report to critique. In fact, it seems like a different information security company is issuing a new report at least once a month if not once a week so feel free to pick one at random and validate the sources using any of the resources that I compiled for this article.

If you know of other source evaluation resources, please reference them in the comments section.

If you're a consumer of cyber intelligence reports or threat intelligence feeds, please ask your vendor how it validates the data it's selling you, and then run that data through your own validation process using one of the tools provided above.

I'd love to hear from any readers who implement these suggestions and have experiences to share, either in confidence via email or in the comments section below.

UPDATE (11/24/13): A reader just recommended another excellent resource: Army Techniques Publication 2-22.9, "Open-Source Intelligence". It discusses deception bias and content credibility, both of which must be accounted for in source validation.

So let's put aside the (ISC)² ethics violation by TrustedSec that this "report" is and instead focus upon its content.

The report is split into two parts, one based upon public open source intel gathering, and one upon actual "analysis". Contrary to what Goebbels might say, repeating a lie does not make it true. The first half of the "analysis" consists of misquotes and out-of-context statements about news reports, blog postings and the Heritage Foundation (an anti-Affordable Care Act org).

They extrapolate from news articles and jump to conclusions that would be laughed out of a Bsides conference, let alone a court of law. Most of the "observations" are generic in nature with no supporting detail. Everything is anecdotal. Everything is hearsay. There is no direct observation of any vulnerability, and only "potential risks".

Many of the articles highlight pre-launch issues that have since been resolved, and others are issues common to most web applications (hello, user enumeration? Seriously? Any site with a unique user account has this issue).

This lack of substance extends to the second part of the "analysis" which shows a lack of understanding of both what healthcare.gov is and what security is.

In the professional world of cyber security there are two concepts at the heart of computer forensics: peer review and reproducibility. Professionals understand that their word is not enough and they actually have to show something that the community and their peers can reproduce. None of their findings are "reproducible" vulnerabilities. They are all vague possible-maybe-there-could-be risks, or worse yet, a gross misunderstanding of what they are "analyzing."

They raise issues with things like the Terms of Service (TOS).

They raise issues with data.healthcare.gov.

Healthcare.gov is not just a website, it is a complex node in a web of Federal, State, and private systems that interconnect to produce the healthcare.gov site. The data in it comes from state exchanges, medicare, the IRS, SSA, and other Federal/state agencies, plus private insurers. It's not just a webserver/webapp with a back end database like something circa 2003.

They raise an issue that data will be shared with outside agencies which shows they don't understand what healthcare.gov is. Then they raise another issue about public profiles on the data.healthcare.gov site. The fact is that Data.healthcare.gov is an open data initiative based on the data gathered from insurers. Public profiles are a feature, not a bug, of that SEPARATE platform.

These two examples show the lack of due care conducted on this analysis. Please take a moment to read the "results" [CARR: A link to TrustedSec's report is provided below]. The level of writing and actual deliverable are so laughable that if a contractor had produced this for my agency I would have terminated their contract on the spot. (The report shows) no due diligence, sloppy work, and worst of all it is wrong in its "conclusions".

Determinations need proof beyond media quotes and theoretical issues. They need to be based in fact.

------------------------

Here's a link to TrustedSec's public report (.pdf) for those readers who wish to review it and assess the above criticism for themselves. Comments are open.

UPDATE (12/13/13): "On December 11, in order to address ongoing questions, Committee members and staff received a classified briefing from Dr. Kevin Charest, the HHS Chief Information Security Officer, and Ned Holland, HHS Assistant Secretary for Administration. Portions of this briefing were classified to protect information relevant to national security. This memo contains a summary of the unclassified portion of the briefing."

Friday, November 15, 2013

Taia Global regularly produces custom reports on foreign research and development activities in Russia and China. Our most recent report examines Russian Venture Capital (RVC), an open joint stock company (OAO RVC) with initial funding from the Investment Fund of Russia through the Federal Agency for State Property Management (Rosimuschestvo). Its charter allows RVC to invest both domestically and overseas. RVC's Board of Directors limited investments by RVC to companies with products on the Russian government's critical technologies list.

This report is 17 pages long with graphics and two appendices, including the above-mentioned critical technologies list. We examined the background of RVC's executives as well as the firm's investments and its U.S. affiliations.

We are offering this report for a limited time to non-subscribers for $225. Interested parties may order via this link or by calling (855) 877-8242.

Friday, November 1, 2013

The Level 3 Communications (NYSE: LVLT) blog recently published an article entitled "Say Goodbye to the Physical-Digital Divide." It's a light-hearted, upbeat corporate feel-good piece about how television shows are becoming Twitter-enabled. It's also a very disturbing piece when you realize that Level 3 is one of the Tier 1 backbone providers that have assisted the NSA in its collection efforts:

This is an exciting time! Not only for Joe Consumer, who is being further enabled (and actively encouraged) to merge his offline and online behavior, blurring the lines of the physical-digital divide, but also for major content providers – many of whom we’re fortunate enough to call customers. This is the new model of content consumption. Always-on and always-available. Cross-media and cross-platform.

Think about that from the standpoint of legal intercepts and data collection, and you'll see my point. We used to be vulnerable based upon what we read at the library, what we threw away in our trash, and what we wrote to our friends. Today, that has expanded exponentially and we've lost control of exactly how and where we are vulnerable to exposure.

Now consider that Level 3 is Google's upstream provider. Is that how the NSA was able to intercept the data traveling between Google's data centers? To be clear, Level 3 isn't doing anything illegal, nor is the NSA for that matter. And that's precisely the problem that needs addressing.

In less than 10 years, the physical - digital divide has disintegrated. In less time than it takes a human being to achieve mastery over a skill, technology has exponentially expanded how we interact with each other and, conversely, how we can harm each other.

Intelligence and law enforcement agencies, whose mission is to identify and intercept those who wish to cause us harm, have leveraged legal regimes like the Patriot Act, EO 12333, etc. to gain a foothold within the networks that are the primary supports (i.e., the backbone) of our digital environment. The gap between what those out-dated laws still allow and what technology has made possible in the way of data collection and analysis is where our focus needs to be. In other words, the laws must be amended to catch up with how exposed we are in today's digital and physical world so that a better balance between privacy and security can be restored.

Wasting time bashing the NSA and other intelligence services does more harm than good because it fails to address the real problem (out-dated authorities that need revising) in favor of lashing out at an easy and unpopular target - the NSA and its fellow agencies who diligently attempt to accomplish the very difficult tasks that we expect from them.

In an effort to help move this debate forward and clarify where reforms are needed, I've set aside two hours for a panel discussion at Suits and Spooks DC on how our parallel needs for security and privacy can be met through reform of the current laws authorizing data collection by the IC. It's not an easy panel to fill, so let me know if you have any suggestions for experts to participate on it. Dr. Catherine Lotrionte of Georgetown University will be the moderator.

Saturday, October 26, 2013

In light of the current tensions between German Chancellor Merkel and President Obama over alleged NSA spying, I found this Der Spiegel article in the bookmarks that I keep on nation state espionage:

The BND, Germany's foreign intelligence service, was caught spying on Minister Amin Farhang of the Afghan government via a trojan that they installed on his computer. The campaign lasted for about six months and included collecting the emails of a Der Spiegel journalist.

Then in 2009 there was this Der Spiegel headline: "BND Infiltrated Thousands of Computers Abroad" - which describes how Germany's foreign intelligence service used keyloggers and other tactics to monitor at least 2,500 computers in a highly targeted espionage campaign.

Granted, this is nowhere close to the scale of the NSA revelations, however Chancellor Merkel should certainly be aware that her own intelligence services have engaged in the same activities as everyone else's and her outrage should be tempered accordingly.

Monday, October 21, 2013

As the rush to the Cloud and the aggregation of data in heretofore unheard-of amounts accelerate, the one area that continues to suffer from lack of attention is the use of analytic methods designed to offset cognitive bias; in other words, the rare skill of critical thinking.

This is particularly true among information security companies, but it applies across all industry sectors. I've recognized and railed against this problem for years, but now, with Suits and Spooks' entry into offering workshops, I'm able to offer a solution in the person of Carmen Medina.

Carmen is a CIA veteran of almost 32 years. She was the Director of the Center for the Study of Intelligence (CSI) from January 2007-December 2009. As the CSI Director, she developed and managed CIA’s first Agency-wide Lessons Learned Program. Her record as a visionary analytic thinker and a dedicated, caring leader made her widely recognized--inside CIA and beyond--as an articulate, passionate voice for excellence in intelligence.

From 2005 through 2007, she was the Deputy Director for Intelligence, a member of the executive team that led the CIA’s analytic directorate. In her CIA career, Carmen held positions of increasing responsibility to include Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

By attending Carmen's four hour workshop on Analytic Methodology and Critical Thinking, your analysts will learn:

Different analytic techniques to help organize data.

The value chain of analytic insight.

Question templates to use when evaluating information.

Rules and techniques for using data and information.

Techniques to assist in more rigorous what if and future thinking.

The early bird rate for this workshop is only $495 and attendees must also register for Suits and Spooks DC. Complete information is available here. Register early to save money and to secure your seat.

Sunday, October 20, 2013

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.

"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do."

- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)

Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly meant to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike the U.S. companies named as having complied with lawful NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

Tuesday, October 15, 2013

According to this Foreign Policy article, someone spear-phished Kevin Mandia, CEO of the information security firm Mandiant, using one or more fake invoices from the company which provides his limo service. According to Mandia the name of his limousine service has never been publicly announced so the question is, how did the attacker know it?

One possibility according to Kevin Mandia is that Chinese foreign nationals have followed him to speaking engagements and observed which car service he used. Personally, I've never seen a limo with a billboard mounted to it or the name painted on the side. When I use Uber, for example, I'm given the license plate number of the driver so that I can tell which black town car is the one I'm waiting for. Usually limos and SUVs that belong to private transportation services are pretty discreet, unlike taxi cabs.

Another possibility is that someone is targeting CEOs at companies based in the MD/DC/VA metroplex with a spear phishing attack that assumes they use a particular high-end car service. There are probably not more than a few dozen reputable car services, if that.

Yet another possibility is that the attack came from a disgruntled former employee or competitor with inside knowledge of the Mandiant CEO's travel preferences. I've heard that thanks to Mandiant's rapid growth, it's been actively recruiting security engineers from other companies. That's probably left a bad taste in more than one person's mouth and this might be someone's idea of getting a small measure of revenge.

Or it could be that despite Mandiant's best efforts, an attacker was able to access inside information on the company's network and he sent the email just to stir the pot.

Mandiant's security team believes that they've identified the attacker as an "advanced hacking group back in China". Such groups focus on stealing intellectual property. China, like many states, is investing money in information security research and development. Would Mandiant's intellectual property match and/or accelerate China's own InfoSec R&D priorities? If so, that would be yet another explanation for this attack.

The bottom line is that no one is immune from a motivated attacker; not even a leading information security company.

UPDATE (10/15/13): A reader reminded me of this article which described a Chinese group engaged in espionage-as-a-service via a significant foothold in the travel and tourism industry.

Thursday, October 10, 2013

No, President Obama didn't authorize a CIA direct action against House Tea Party members who are keeping the government closed. The "Collision" that I'm talking about is the Suits and Spooks event that is happening in Washington DC on January 19-21. Some of you know that I've been reluctant to call it a "conference" ever since I created this event in 2011. Finally, thanks to my friend Jim Stogdill at O'Reilly Media, I've got a new name for it - a collision.

It's the perfect word because that's precisely what happens during many of the talks. It's not a Summit where high profile speakers get to express their opinions without the opportunity for audience members to question them. Our speakers understand that the content of their talks can be challenged at any time by the attendees. And since we keep our total attendance capped to under 150 and keep all of the sessions on a single track, there's a lot of interaction taking place that just doesn't happen at any other event. In fact, when you consider who some of our speakers are, that's a remarkable thing to experience.

Here are just a few of the 25 or so high profile speakers that we've lined up for SNS DC:

Barbara M. Hunt: Co-founder of Cutting Edge C.A. who was formerly the Director for Capabilities of Tailored Access Operations at NSA as well as a 20 year veteran technical expert at CIA

David Howe: CEO at Civitas Group; formerly Special Assistant to the President (Homeland Security Council)

Carmen Medina: Career senior national security executive at CIA (retired). Assignments included Director for the Center of the Study of Intelligence; Deputy Director of Intelligence; and Chief of the Strategic Assessments Group, Office of Transnational Issues, Directorate of Intelligence.

Eric O’Neill: Attorney and co-founder, The Georgetown Group; former FBI operative who was instrumental in the Robert Hanssen espionage case.

John Gilkes: Principal, Deloitte Financial Advisory Services; more than twenty years experience in asset tracing and recovery and in the management and conduct of financial/fraud investigations involving wire transfer fraud, bribery/corruption, and extortion.

Another first for Suits and Spooks DC 2014 will be our workshops. We're not a hacker con so you won't find the workshops that you're accustomed to at Blackhat and other events. That's because there's more to cyber security than malware alone. We'll be offering four workshops in January:

Lance Cottrell, the founder of Anonymizer, will teach a half-day workshop on Internet Anonymity and Pseudonymity.

Rob DuBois, a retired Navy SEAL and former director of operations for the Dept of Defense Red Team will teach a full-day course on how to train and operate a full spectrum red team.

Carmen Medina, a former Deputy Director of Intelligence at CIA will teach a half-day course on analytic methods.

Phil Rosenberg and John Gilkes will teach a course on financial fraud investigations and money laundering.

Registration for SNS DC is now open and we're already 25% full. Registration for the workshops is currently open for Lance Cottrell's topic and the others should be ready by next week (separate tuition is charged for the workshops). Here's the link for the SNS DC webpage. See you in January.

And if you're interested in having your company become a sponsor, please shoot me an email.

Monday, September 23, 2013

I'm organizing a complaint to the US Patent and Trademark Office which says that Lockheed Martin (NYSE: LMT) shouldn't be granted a trademark for "Cyber Kill Chain" because it is in common usage. As I wrote earlier, I was surprised that they even filed for a trademark since I was the one who first coined the term (as far as I can tell), but coinage of the phrase isn't enough to defeat Lockheed Martin's attempt to trademark and build a business around it. Common usage, however, is an argument that the US PTO will listen to, especially if we can show a good number of people objecting to its registration.

If you wish to have your name added to my US PTO complaint, please send me an email to that effect. It should include your contact information, how often you've used the phrase, and your objection to LMT's trademarking of it.

Tuesday, September 17, 2013

Suits and Spooks DC is coming up on January 20-21, 2014 and Suits and Spooks Singapore will be March 20-21, 2014. The theme for both conferences will be on how companies can safely conduct business when they operate in what is essentially a digital battlefield. U.S. multinational firms not only have to contend with hacktivists targeting their websites and hacker groups stealing and selling their intellectual property. Their communications are being collected and monitored by most foreign intelligence services and insiders seem to be able to gain access to whatever they want.

If you've got an idea for a topic that fits this theme, please shoot me an email with a title and an abstract. Preliminary information on both events is available at the SuitsandSpooks.com website.

Friday, August 30, 2013

Syria's Ministry of Communications and Technology website is soliciting "experts in the field of Informatics" including in the areas of ethical hacking, computer forensics, incident response, malware analysis, etc. Here's a copy of the original web page in Arabic and the machine translation to English (via Google Translate). If you click on the image, you'll be able to read it better:

Other than this being Syria, it's not unusual for a nation state in today's network-centric environment to want to develop these disciplines. On the other hand, this being Syria, it's hard to imagine anything other than malicious intent for their "ethical hackers".

Thursday, August 29, 2013

What we know: Someone in Syria used Sarin gas and killed an estimated 100,000 people.

What we don't know: Who did it. So far, no evidence has been collected which identifies the culprit. Was it by order of the Assad government, a rogue action by the Syrian military, or something that the rebels did to force engagement by the West against Assad? Currently, it's a judgment call.

What should we do: So far, the only public options that I've heard involve Tomahawk cruise missiles.

One alternative option that should be (and perhaps is being) considered by Western governments is to send a non-lethal message by breaching and taking control of Syria's national power grid and/or its telecommunications infrastructure. This is certainly within the capabilities of Israel and the U.S., and most likely available to other EU allies, not to mention Russia and China.

It's a relatively small grid with only about 14 power generating stations that distribute electricity received from PEDEE (Public Establishment for Distribution and Exploitation of Electrical Energy) including:

Deir Ali Power Generation Station

Teshreen Power Generation Station

Jandar Power Generation Station

Al Zara Power Generation Station

Each of these companies utilizes foreign vendors (another access point) such as the Greek company Metka which services Deir Ali and the Indian company Bharat Heavy Electricals Limited which services Teshreen.

I'll stop there because the goal of this post isn't to create an order of battle; however, I do think that putting the Syrian government into a virtual vise where outside nations can control its critical infrastructure should at least be considered alongside Obama's inclination to use cruise missiles. Talk about "deter and degrade" - how much can Assad or anyone else in Syria do without power?

There's been a lot of press today about how the Syrian Electronic Army is using Russian servers and who some of its early website administrators are. One of Digital Dao's readers sent me an email this morning with some new information from a PHP shell left on a host that points to a Latin American supporter.

Summary

This is a micro example of why it's a mistake to think of the digital landscape as if it's a physical landscape. The Syrian Electronic Army like many of its fellow hacktivist organizations is not limited to Syria's physical borders nor Syrian nationals for its members. In fact, for many hacktivists in particular and some Millennials in general, digital allegiances are replacing physical borders.

We'll be exploring this phenomenon in-depth with experts like Dave Kilcullen, Joel Brenner, Mike Janke and 15 other speakers at the Suits and Spooks conference in New York on Oct 5-6, 2013.

Wednesday, August 28, 2013

I recently heard Dave Kilcullen speak at the Google INFO Summit on illicit trafficking during the summer of 2012 and ever since then I've been trying to find a way to bring his experience and novel insight into conflict mechanics to a Suits and Spooks conference.

Today, I'm extremely pleased to announce that Dave will be speaking at Suits and Spooks New York on the topic "Out of the Mountains: a future of feral cities, urban systems under stress, and increasing overlaps between the real and virtual worlds."

Dave will also be included on a panel that I'll be moderating with Jonathan Hutson of the Satellite Sentinel Project, retired Navy SEAL Thomas Dzieran, Aaron Weisburd of Internet Haganah and John Scott-Railton of Citizen Lab.

Attendees will have an opportunity to purchase a signed copy of Dave's new book "Out of the Mountains":

"In his third book, David Kilcullen takes us out of the mountains: away from the remote, rural guerrilla warfare of Afghanistan, and into the marginalized slums and complex security threats of the world’s coastal cities, where almost 75 per cent of us will be living by mid-century. Scrutinizing major environmental trends — population growth, coastal urbanization, and increasing digital connectivity — he projects a future of feral cities, urban systems under stress, and increasing overlaps between crime and war, internal and external threats, and the real and virtual worlds. Informed by Kilcullen’s own fieldwork in the Caribbean, Somalia, the Middle East and Afghanistan, and that of his field research teams in cities in Central America and Africa, Out of the Mountains presents detailed, on-the-ground accounts of the new faces of modern conflict — from the 2008 Mumbai terrorist attacks, to transnational drug networks, local street gangs, and the uprisings of the Arab Spring."

We have only 18 seats remaining so register today and don't miss this extraordinary conference where both the speakers and the attendees engage in discussions in the private, exclusive setting of Soho House NYC on October 5-6, 2013.

Wednesday, August 21, 2013

My company recently published a report which discovered that aerospace companies with joint ventures in Russia and China are hacked 2.4 times more often than those companies who don't. However, hacking a network is small potatoes when compared with the amount of intellectual property that is transferred in other ways.

One of the more surprising discoveries that we made while researching that report had to do with a Russian institute that was set up primarily to engage foreign companies with various types of assistance: the Research Institute of Mathematic Modeling and Intelligent Control Systems. This institute is a part of St. Petersburg State Polytechnical University's Institute of International Educational Programs. The website is in English and is not listed on SPSPU's Russian home page, so its entire focus is foreign-based.

It conducts applied research in the following areas:

Distributed industrial controllers networks for decentralized control of distributed objects and technological processes

Intelligent multi-agent based control of android robots and cooperative behavior of robots network

Seismic analysis, simulation of crash-tests, modeling of nucleation and propagation of damage

Computation of cooling of electronic devices, heating and air-conditioning systems

Development of graphic user interface to control virtual objects

Polygonal and NURBS-modeling

A few of the U.S. companies who work with RIMMICS include Boeing and GE. Foreign companies include EADS, Airbus, SAP, LG electronics and Bombardier. I wonder how many of those companies know that RIMMICS also provides avionics services, among others, for the Russian Ministry of Defense because it's not disclosed anywhere on the website.

More information on RIMMICS and other surprises that we've uncovered when investigating foreign vendors who service key U.S. enterprises will be disclosed at our upcoming Suits and Spooks luncheon at the Ritz Carlton Tysons Corner on Sept 10, 2013. Seats are extremely limited so register today.

Monday, August 19, 2013

I just learned that Lockheed Martin (NYSE:LMT) filed a trademark for "Cyber Kill Chain" (here and here). That came as quite a surprise since, as far as I know, I was the first to coin and publish that phrase when I described the process that Russian hackers used to attack Georgian government websites (see pages 4 and 15 in the Project Grey Goose Phase I report October 2008).

I also included the Cyber Kill Chain in my presentation about our findings at the Palantir Gov Conference October 2008.

While Lockheed Martin has certainly monetized the phrase (a $4.6B contract), and while I enjoy the fact that the phrase is appealing as well as popular in the InfoSec industry, I hope that Lockheed Martin's trademarking of "Cyber Kill Chain" is just for show and that they don't actually attempt to enforce it.

Sunday, August 11, 2013

My team and I have completed a report (High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures) on how much more vulnerable U.S. companies are to being hacked if they engage in joint ventures in Russia and China. Everyone's first response to that is probably - of course! However, our findings might surprise you.

Key Findings:

An aerospace company that has a joint venture in Russia and/or China is 2.4 times more likely to experience a cyber attack than a non-JV company.

Of the study’s control group of 12 aerospace companies that have joint ventures in China and Russia, 8 experienced a cyber attack (67%), including Alcoa, Boeing, General Electric, Honeywell, Pratt & Whitney, Rockwell Collins, Rolls Royce North America and Sikorsky. The other 4 aerospace companies, Eaton, Goodrich, Hamilton Sundstrand, and Parker Aerospace, have not publicly disclosed any cyber attacks.

Of the 21 aerospace companies in the study’s random group, only 6 reported or were claimed to have been the victim of a cyber attack (28%), including General Dynamics, Gulfstream, Lockheed Martin, Northrup Grumman, Orbital Sciences Corporation, and Raytheon.

U.S. companies engaged in joint ventures represent a profit center for international hacker groups.

This study shows that it is highly likely that the intellectual property owned by U.S. companies with Russian and Chinese JVs also represent high value targets for a variety of state and non-state actors worldwide.

It's unlikely that the Chinese or Russian government will utilize spear phishing or other low-level attacks against a U.S. company with a joint venture in their respective states when other superior means are available to them.

While official and non-official sources frequently assign attribution to a state military or foreign intelligence organization rather than a mercenary hacker group, the host governments of joint venture companies do not need to craft spear phishing attacks against U.S. companies that operate within their borders, that are required to employ their citizens (who are technically PRC government employees), and whose communications networks are supervised and monitored by the State.

Wednesday, August 7, 2013

Evidently, the PLA is either the most incompetent Army in the world or is tasked with exploiting anything and everything that they can, including obvious honeypots. A paper and BlackHat talk by Kyle Wilhoit of Trend Micro got a lot of press including this article at MIT Technology Review "Chinese Hacking Team Caught Taking Over Decoy Water Plant".

My first reaction when I saw this headline was why would anyone bother? Every ICS expert that I know discounts the potential harm that a hacker might be able to do against a water system. My second reaction was - How the f__k would a hacker who knows SCADA systems not know that he was attacking a fake water plant?

I asked my friend Dale Peterson, a world-renowned authority in this area, the same question and he was as perplexed as me. A friend of his who attended BlackHat agreed. "Have you ever seen a plant with one pump?" he asked.

So what does this mean? In my opinion, it raises questions about who Comment Crew aka APT1 aka PLA Unit 61398 really is because they clearly don't know shit about Industrial Control Systems.

Tuesday, July 30, 2013

In anticipation of speaking at the AIAA conference in Los Angeles on August 12-14, I've been researching aviation companies with joint ventures in China and how many of them have reported being the victim of a cyber attack (successful or not). I identified 11 U.S. companies who were working with Chinese partners on the COMAC C919 aircraft and of those 11, 7 (64%) have publicly acknowledged being the victim of a cyber attack at some point in the last few years. No aggressors were named and some of the acknowledgments had to do with unsuccessful attempts only.

That percentage, in itself, didn't seem too surprising so I decided to look at 11 more randomly selected U.S. aviation companies and of those, only 3 (27%) publicly acknowledged being the victim of a cyber attack. However, after digging a little further, I learned that of those 3 companies, 2 (67%) also had joint ventures in China! Our sample suggests that aerospace companies who have joint ventures in China are being attacked more than twice as often as aerospace companies who don't have joint ventures in the PRC.

We aren't suggesting that China is behind the attacks. Rather, that technology which is valuable to China is also valuable to international hacker groups who believe that they can find a buyer for the stolen data.

As far as I know, this is the first study of its kind to demonstrate that a specific industrial sector (Aerospace) of high value to the Chinese government yields an increased risk of cyber attack to U.S. aerospace companies who are doing business in China. I'll be discussing the implications of this study during my presentation at the AIAA conference on August 12th and will be taking a deep dive into our research at a Suits and Spooks luncheon event in McLean, VA on Sept 10th. Our venue in McLean has limited seating so register early.

Tuesday, July 16, 2013

The cyber threat landscape is so much more complex than is commonly reported by the media, the government, and especially by information security vendors. China is no different. The goal of the Suits and Spooks conference in New York City is to begin the process of diagramming the most complete cyber threat landscape that has ever been done by bringing together 15 international authorities on different geographical regions to discuss and debate the issues.

One of our panels is "Cyber Attacks and China: Who Should Be Held Responsible", and includes:

Joel Brenner (moderator): former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA

Peiran Wang: Ph.D. candidate, The Center for Economic Law and Governance, Faculty of Law and Criminology, Vrije Universiteit Brussel

In addition to serving on this panel, each of the above panel members will be giving their own talks on related subjects. A full agenda for this two day event will be published soon. In the meantime, you may want to register for this unique and important conference before it sells out.

Thursday, July 11, 2013

Announcing the first Suits and Spooks Adversary R&D luncheon at the Ritz Carlton Tysons Corner in McLean, VA on Sept 10, 2013 from 11:30am – 1:30pm. A limited number of attendees will enjoy a delicious lunch and receive a briefing on Chinese and Russian R&D priorities in the areas of Information Security and Aerospace.

Focus and Methodology:

In order to fully understand today’s threat landscape, Taia Global created the world’s first database on adversary state R&D called Chimera. Taia’s researchers collected intelligence on fifty State Key Laboratories (SKLs) in China and ten research centers and institutes in the Russian Federation. These laboratories are top-tier R&D centers that receive funding from the private sector and government-sponsored entities, including the People’s Liberation Army and IT firms such as Huawei and ZTE in China, and the Federal Security Service in Russia. SKLs focus their R&D efforts on strategic research priorities as defined by the central government of the PRC. These priorities range from geosciences to molecular chemistry. However, Taia’s researchers focused their initial collection efforts on laboratories researching and developing Information and Telecommunications Systems and aerospace capabilities.

After collection and translation, the team categorized the data into broad research areas (space systems, quantum cryptography, microelectronics, etc.) before then addressing specific projects, such as ground-based satellite telemetry encryption platforms or field-programmable gate arrays. This type of categorization allowed Taia Global to effectively identify Chinese and Russian research on U.S. export controlled technologies and systems as defined by the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

Key Findings:

Chinese laboratories are centers of civil-military-corporate integration and nearly 40% of the labs are working on export-controlled technologies. A number of SKLs are working on classified military-specific R&D projects for the People’s Liberation Army. Not only do the SKLs work closely with the Chinese public and private sectors, they actively pursue joint-ventures and partnerships with foreign IT and aerospace companies.

Russian Federation institutes and research centers focus on civil and military developments and 50% of them are working on export-controlled technologies.

To Reserve Your Space

The luncheon and briefing will take place in the Plaza room of the Ritz Carlton Tysons Corner at 11:30am until 1:30pm. All attendees will receive a copy of the presentation along with recorded audio. Tickets are $128 and seating is limited to 48 people. Ensure your space by registering today.

Monday, July 1, 2013

There's no doubt that China is on an aggressive technology acquisition track and has been for 20+ years. Way too much emphasis has been placed on the vacuuming of data from U.S. companies through targeted attacks (otherwise known by the marketing buzzword "APT"). That's actually a terribly inefficient way to conduct the scale of tech transfer that China needs and a lot of the data that gets scooped up has low value, which is partly why I believe that hacker groups from many different countries (including China) are the main instigators behind those attacks rather than the PLA or a Foreign Intelligence Service. Small scale hacker groups are like burglars breaking into peoples' houses. They take as much as they can carry and then try to fence the goods for whatever they can get.

The Chinese government has crafted a much more elegant, legal, and precise way to obtain the exact type of technology that they need. They offer tax incentives and access to the biggest market in the world to U.S. companies who open their Research and Development centers in China. To date, over 1200 companies have taken China up on that offer including Boeing, Microsoft, Dell, Cisco, Intel, GE and many, many more. Part of the deal is that these U.S. companies must hire a percentage of Chinese engineers, who stay for a year or two, learn everything they can about the technology of interest, and then leave to work for a Chinese national champion firm or state-owned enterprise.

Here's a recap of my own first-hand experience with this process. As I've mentioned before, Taia Global has a product in development called Chimera. We are building the world's first and largest commercial database of adversary states' research and development priorities, focusing on technologies that are U.S. export-controlled. These represent the crème de la crème of targets for acts of industrial and cyber espionage. I've been searching for a data scientist with a background in document-matching. Being an ex-Microsoft employee, I started with the Microsoft Research website and learned that almost all of the researchers working on NLP and Search topics are at Microsoft Asia (in Beijing). I identified a couple of researchers in the precise field that I was looking for and sent email introductions to both. It turned out that both had left Microsoft Research and gone to work for Huawei's internal R&D lab.

The U.S. government fueled by testimony from InfoSec industry experts can complain about Spear Phishing, APT, and Chinese hackers day-in and day-out but that won't begin to address the much more serious problem of how so many top U.S. firms willingly give their intellectual property away for the promise of cheap research costs and lucrative access to a massive Chinese market. What complaining about the Chinese government hacking U.S. corporations will do is keep the conversation in a politically advantageous zone and away from the political minefield that represents US companies exporting their R&D overseas. If you're looking to blame someone for the estimated $300 billion in IP loss that the U.S. suffered last year, start by taking a hard, honest look at what U.S. companies are willing to risk in order to do business in China.

Votre Secrets, Monsieur?
"AS THE 20TH CENTURY DRAWS TO A CLOSE, a country's economic power has become more essential to its survival than its military prowess. This increased emphasis on market dominance means the world's intelligence services are refocusing their efforts from collecting the traditional political and military material to collecting economic, scientific, technological, and business information. One intelligence service that has become synonymous with this new effort is the French government's General Directorate of External Security (DGSE)."

"The idea of the French using their intelligence service to obtain scientific, economic, and technological information from friendly countries is not new. Returning to power in 1958, President Charles de Gaulle indicated that the Service for External Documentation and Counterespionage (SDECE), the then French intelligence agency, needed to focus on obtaining technological information about the United States and other Western countries."

WIKILEAKS: France leads Russia, China in Industrial Spying in Europe
"Back in 2001, European leaders accused the United States government of operating a vast industrial espionage network that was eavesdropping on European businesses and giving trade secrets to American companies. According to the latest WikiLeaks cable release, they should have been looking internally."

"France is the country that conducts the most industrial espionage on other European countries, even ahead of China and Russia, according to leaked U.S. diplomatic cables, reported in a translation by Agence France Presse of Norwegian daily Aftenposten's reporting."

"French espionage is so widespread that the damages (it causes) the German economy are larger as a whole than those caused by China or Russia," an undated note from the U.S. embassy in Berlin said."

Next Up for France: Police Keyloggers and Web Censorship
"Having just passed its super-controversial Internet "graduated response" law, you might think the French government would take at least a brief break from riling up the "internautes." Instead, the government is prepping a new crime bill that will, among other things, mandate Internet censorship at the ISP level, legalize government spyware, and create a massive meta-database of citizen information called "Pericles."

Friday, June 28, 2013

On June 18th, the Moscow trial of ChronoPay owner Paul Wroblewski revealed that the Federal Security Service of Russia (FSB Russia) hacked into Facebook servers to collect information used in Wroblewski’s trial. Wroblewski is currently on trial for conducting Distributed Denial of Service (DDoS) attacks on the servers of a rival online payment system in 2010. The backstory of the trial is rife with the usual Russian allegations of corruption and security service malfeasance. Indeed, on June 18th Wroblewski’s lawyer Pavel Zaitsev protested the inclusion of correspondence that the FSB obtained by hacking Wroblewski’s Facebook account. According to a letter presented to the court, the FSB first requested the information through official channels. The FSB then hacked into the Facebook account as part of “Operational Search Measures” when the request was denied. The court acknowledged that the FSB bypassed international conventions and treaties; however, the information was allowed as evidence.

The FSB Information Security Center—also known as Military Unit (Vch) 64829—conducted the Facebook intrusion. The Information Security Center is located in the FSB Counterintelligence Directorate—the 2nd Directorate—and monitors the Russian Internet. Taia Global analysis, however, long assessed the Information Security Center capable of offensive operations. Indeed, President Putin’s Edict No. 31 of 15 February 2013 tasked the FSB with establishing a nationwide system for protecting Russia’s critical information infrastructure. The mission included handling the exchange of information with foreign governments and authorities. Russian press speculates that the FSB Information Security Center—and other FSB components such as Scientific Research Center No. 3—will form the basis for the new structure.